SAML Configuration XML
SAML configuration may be specified as XML in a separate XML file (e.g. saml-config.xml).
By default, SAML initialization loads the configuration from the saml.config file in the application's root folder.
Local Service Provider Example
The following example configures a local service provider and a single partner identity provider.
The Password attribute of the local certificate holds the PFX password in clear text, so the configuration file needs the same protection as the private key file it unlocks.
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider
    Name="https://ExampleServiceProvider"
    Description="Example Service Provider"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">
    <LocalCertificates>
      <Certificate FileName="Certificates\sp.pfx" Password="password"/>
    </LocalCertificates>
  </ServiceProvider>
  <PartnerIdentityProviders>
    <!-- Web forms example -->
    <PartnerIdentityProvider
      Name="https://ExampleIdentityProvider"
      Description="Example Identity Provider"
      SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
      SingleLogoutServiceUrl="https://localhost:44390/SAML/SLOService.aspx">
      <PartnerCertificates>
        <Certificate FileName="Certificates\idp.cer"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>
Local Identity Provider Example
The following example configures a local identity provider and a single partner service provider.
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <IdentityProvider
    Name="https://ExampleIdentityProvider"
    Description="Example Identity Provider">
    <LocalCertificates>
      <Certificate FileName="Certificates\idp.pfx" Password="password"/>
    </LocalCertificates>
  </IdentityProvider>
  <PartnerServiceProviders>
    <!-- Web forms example -->
    <PartnerServiceProvider
      Name="https://ExampleServiceProvider"
      Description="Example Service Provider"
      AssertionConsumerServiceUrl="https://localhost:44338/SAML/AssertionConsumerService.aspx"
      SingleLogoutServiceUrl="https://localhost:44338/SAML/SLOService.aspx">
      <PartnerCertificates>
        <Certificate FileName="Certificates\sp.cer"/>
      </PartnerCertificates>
    </PartnerServiceProvider>
  </PartnerServiceProviders>
</SAMLConfiguration>
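The two examples above are the two halves of one federation, and most deployment failures come from the halves disagreeing: a partner entry whose Name differs from the other side's own Name by a trailing slash, an AssertionConsumerServiceUrl that points at the wrong path, a partner without a certificate, or a plain-http endpoint. The following Python script is an added example, not ComponentSpace code: it parses a saml.config with the element and attribute names shown on this page, flags endpoints that are not absolute https URLs, partners that have no PartnerCertificates, and PFX passwords stored in clear, and then cross-checks a service provider configuration against its identity provider's configuration. The sample documents are constructed from the two examples above, with the partner identity provider's SingleLogoutServiceUrl deliberately downgraded to http:// so the lint has something to report. The checks are this example's own and stricter than anything the library enforces.

```python
"""Lint a ComponentSpace-style saml.config and cross-check an SP/IdP pair.

Added example, not part of the ComponentSpace product. It relies only on the
element and attribute names shown in the configuration examples on this page.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "urn:componentspace:SAML:2.0:configuration"
URL_ATTRS = ("AssertionConsumerServiceUrl", "SingleSignOnServiceUrl", "SingleLogoutServiceUrl")

# Constructed sample: the service provider example from this page, with the
# partner's SingleLogoutServiceUrl deliberately downgraded to http://.
SP_CONFIG = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="https://ExampleServiceProvider"
      AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">
    <LocalCertificates>
      <Certificate FileName="Certificates\\sp.pfx" Password="password"/>
    </LocalCertificates>
  </ServiceProvider>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="https://ExampleIdentityProvider"
        SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
        SingleLogoutServiceUrl="http://localhost:44390/SAML/SLOService.aspx">
      <PartnerCertificates>
        <Certificate FileName="Certificates\\idp.cer"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>"""

# Constructed sample: the identity provider example from this page, unchanged.
IDP_CONFIG = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <IdentityProvider Name="https://ExampleIdentityProvider">
    <LocalCertificates>
      <Certificate FileName="Certificates\\idp.pfx" Password="password"/>
    </LocalCertificates>
  </IdentityProvider>
  <PartnerServiceProviders>
    <PartnerServiceProvider Name="https://ExampleServiceProvider"
        AssertionConsumerServiceUrl="https://localhost:44338/SAML/AssertionConsumerService.aspx"
        SingleLogoutServiceUrl="https://localhost:44338/SAML/SLOService.aspx">
      <PartnerCertificates>
        <Certificate FileName="Certificates\\sp.cer"/>
      </PartnerCertificates>
    </PartnerServiceProvider>
  </PartnerServiceProviders>
</SAMLConfiguration>"""


def q(tag):
    """Qualify a tag with the configuration namespace for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


def check_url(owner, attr, value, allow_relative, findings):
    """Endpoints must be absolute https URLs; ~/ paths are allowed for the local provider only."""
    if value.startswith("~/"):
        if not allow_relative:
            findings.append(f"{owner}: {attr} is application-relative but belongs to a partner")
        return
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"{owner}: {attr}={value} is not an absolute https URL")


def lint(xml_text):
    """Return a list of findings for one saml.config document; empty means clean."""
    root = ET.fromstring(xml_text)
    local = root.find(q("ServiceProvider"))
    if local is None:
        local = root.find(q("IdentityProvider"))
    if local is None:
        return ["no local ServiceProvider or IdentityProvider element"]
    findings = []
    name = local.get("Name") or "<unnamed local provider>"
    if local.find(q("LocalCertificates") + "/" + q("Certificate")) is None:
        findings.append(f"{name}: no LocalCertificates, so outgoing messages cannot be signed")
    for cert in local.iter(q("Certificate")):
        if cert.get("Password"):
            findings.append(f"{name}: PFX password for {cert.get('FileName')} is stored in clear")
    for attr in URL_ATTRS:
        if local.get(attr):
            check_url(name, attr, local.get(attr), True, findings)
    # Each partner needs a certificate to verify its signatures, and no plain-http endpoints.
    partners = list(root.iter(q("PartnerIdentityProvider"))) + list(root.iter(q("PartnerServiceProvider")))
    for partner in partners:
        pname = partner.get("Name") or "<unnamed partner>"
        if partner.find(q("PartnerCertificates") + "/" + q("Certificate")) is None:
            findings.append(f"{pname}: no PartnerCertificates, so its signatures cannot be verified")
        if partner.tag == q("PartnerIdentityProvider") and not partner.get("SingleSignOnServiceUrl"):
            findings.append(f"{pname}: no SingleSignOnServiceUrl, so SP-initiated SSO will not work")
        for attr in URL_ATTRS:
            if partner.get(attr):
                check_url(pname, attr, partner.get(attr), False, findings)
    return findings


def cross_check(sp_xml, idp_xml):
    """Check that an SP's config and its IdP's config describe each other consistently."""
    findings = []
    sp_root, idp_root = ET.fromstring(sp_xml), ET.fromstring(idp_xml)
    sp = sp_root.find(q("ServiceProvider"))
    idp = idp_root.find(q("IdentityProvider"))
    # Partner entries are matched by Name, so each side must use the other's exact Name.
    partner_sp = idp_root.find(f"{q('PartnerServiceProviders')}/{q('PartnerServiceProvider')}[@Name='{sp.get('Name')}']")
    if partner_sp is None:
        findings.append(f"IdP config has no PartnerServiceProvider named {sp.get('Name')}")
    if sp_root.find(f"{q('PartnerIdentityProviders')}/{q('PartnerIdentityProvider')}[@Name='{idp.get('Name')}']") is None:
        findings.append(f"SP config has no PartnerIdentityProvider named {idp.get('Name')}")
    # The ACS URL the IdP will post responses to must be the SP's own ACS endpoint.
    if partner_sp is not None:
        local_acs = sp.get("AssertionConsumerServiceUrl", "")
        partner_acs = partner_sp.get("AssertionConsumerServiceUrl", "")
        local_path = "/" + local_acs[2:] if local_acs.startswith("~/") else urlparse(local_acs).path
        if urlparse(partner_acs).path != local_path:
            findings.append(f"ACS mismatch: SP serves {local_acs} but IdP will post to {partner_acs}")
    return findings


if __name__ == "__main__":
    for finding in lint(SP_CONFIG) + lint(IDP_CONFIG) + cross_check(SP_CONFIG, IDP_CONFIG):
        print(finding)
```

Run against the constructed pair it reports the two clear-text PFX passwords and the http:// logout endpoint, and the cross-check passes because both sides use each other's exact Name and the IdP's partner ACS path matches the SP's application-relative endpoint. Point it at a real saml.config pair by reading the files into the two strings.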
XML Schema
The XML schema may be used to enable Visual Studio IntelliSense when editing SAML configuration.
Creating SAML Configuration
The CreateConfiguration console application project may be used to generate SAML configuration for a local service provider or identity provider.
CreateConfiguration may be run as follows.
It will prompt for various input required to generate the SAML configuration.
The prompts will vary depending on whether service provider or identity provider configuration is to be generated.
Typically the generated XML is added to the application's saml.config.
Local Service Provider
The following prompts are displayed when generating a local service provider configuration.
Create Identity Provider or Service Provider configuration (IdP | SP):
Enter SP to generate service provider configuration.
Name:
Specify a name that uniquely identifies the local service provider.
For maximum compatibility, a URL is recommended.
For example, it could be the URL of the web application, although it need not point to an actual web resource.
Assertion Consumer Service URL [None]:
Specify the assertion consumer service URL.
This is the service provider endpoint that receives SAML responses, so it should normally be specified.
Single Logout Service URL [None]:
Specify the single logout service URL.
This is the service provider endpoint that will receive SAML logout messages.
If SAML logout will not be supported, this input is not required.
X.509 signature certificate PFX file [None]:
Specify the path to the X.509 certificate file (a PFX file) whose private key will be used to generate signatures.
If SAML messages will be signed, a signature certificate PFX is required.
X.509 certificate PFX password [None]:
Specify the password that protects the PFX file.
SAML configuration file [saml.config]:
Specify the file where the generated SAML configuration will be saved.
Local Identity Provider
The following prompts are displayed when generating a local identity provider configuration.
Create Identity Provider or Service Provider configuration (IdP | SP):
Enter IdP to generate identity provider configuration.
Name:
Specify a name that uniquely identifies the local identity provider.
For maximum compatibility, a URL is recommended.
For example, it could be the URL of the web application, although it need not point to an actual web resource.
Single Sign-On Service URL [None]:
Specify the single sign-on service URL.
This is the identity provider endpoint that will receive SAML authentication requests.
If SP-initiated SSO will not be supported, this input is not required.
Single Logout Service URL [None]:
Specify the single logout service URL.
This is the identity provider endpoint that will receive SAML logout messages.
If SAML logout will not be supported, this input is not required.
X.509 signature certificate PFX file [None]:
Specify the path to the X.509 certificate file (a PFX file) whose private key will be used to generate signatures.
The identity provider should sign the SAML response, the assertion, or both, so a signature certificate PFX is normally required.
X.509 certificate PFX password [None]:
Specify the password that protects the PFX file.
SAML configuration file [saml.config]:
Specify the file where the generated SAML configuration will be saved.
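The prompts above map one-to-one onto attributes of the local provider element, and the optional ones encode rules the page states: a service provider normally needs an AssertionConsumerServiceUrl, a single logout URL is only needed when SAML logout is supported, and an identity provider needs a signing PFX. The following Python script is an added example, not the CreateConfiguration tool and not ComponentSpace code: it walks the same prompts with an injectable ask() function, builds the XML with ElementTree rather than string concatenation so attribute values are escaped, and leaves an empty partner section to be filled in by hand. It assumes that the local IdentityProvider element accepts SingleSignOnServiceUrl and SingleLogoutServiceUrl attributes, as ServiceProvider accepts AssertionConsumerServiceUrl in the example above, and it rejects absolute endpoints that are not https, which is stricter than the tool itself.

```python
"""Generate a local SP or IdP saml.config from the CreateConfiguration inputs.

Added example, not the ComponentSpace CreateConfiguration tool. Assumption: the
local IdentityProvider element accepts SingleSignOnServiceUrl and
SingleLogoutServiceUrl attributes. ET.indent needs Python 3.9 or later.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "urn:componentspace:SAML:2.0:configuration"


def check_endpoint(label, url):
    """Accept ~/ application-relative paths or absolute https URLs only.

    Stricter than the tool, which accepts any text: a plain-http endpoint
    would expose SAML messages and their signatures to tampering in transit.
    """
    if url.startswith("~/"):
        return url
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{label} must be ~/relative or an absolute https URL, got {url!r}")
    return url


def build_config(kind, name, acs_url=None, sso_url=None, slo_url=None,
                 pfx_file=None, pfx_password=None):
    """Return saml.config XML text for a local provider of kind 'SP' or 'IdP'."""
    if kind not in ("SP", "IdP"):
        raise ValueError("kind must be 'SP' or 'IdP'")
    if not name:
        raise ValueError("Name is required; a URL is recommended")
    root = ET.Element("SAMLConfiguration", {"xmlns": NS})
    if kind == "SP":
        if not acs_url:
            raise ValueError("a service provider normally needs an AssertionConsumerServiceUrl")
        local = ET.SubElement(root, "ServiceProvider", Name=name)
        local.set("AssertionConsumerServiceUrl", check_endpoint("ACS URL", acs_url))
    else:
        if not pfx_file:
            raise ValueError("an identity provider must sign responses or assertions; a PFX is required")
        local = ET.SubElement(root, "IdentityProvider", Name=name)
        if sso_url:  # only needed when SP-initiated SSO is supported
            local.set("SingleSignOnServiceUrl", check_endpoint("SSO URL", sso_url))
    if slo_url:  # only needed when SAML logout is supported
        local.set("SingleLogoutServiceUrl", check_endpoint("SLO URL", slo_url))
    if pfx_file:  # private key used to sign outgoing messages
        cert = ET.SubElement(ET.SubElement(local, "LocalCertificates"), "Certificate", FileName=pfx_file)
        if pfx_password:
            cert.set("Password", pfx_password)
    # Partner providers are added by hand afterwards, as the page describes.
    ET.SubElement(root, "PartnerIdentityProviders" if kind == "SP" else "PartnerServiceProviders")
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def run_prompts(ask=input):
    """Walk the same prompts as CreateConfiguration; ask() is injectable for testing."""
    kind = ask("Create Identity Provider or Service Provider configuration (IdP | SP): ").strip()
    name = ask("Name: ").strip()
    acs = sso = None
    if kind == "SP":
        acs = ask("Assertion Consumer Service URL [None]: ").strip() or None
    else:
        sso = ask("Single Sign-On Service URL [None]: ").strip() or None
    slo = ask("Single Logout Service URL [None]: ").strip() or None
    pfx = ask("X.509 signature certificate PFX file [None]: ").strip() or None
    password = ask("X.509 certificate PFX password [None]: ").strip() or None
    out = ask("SAML configuration file [saml.config]: ").strip() or "saml.config"
    return out, build_config(kind, name, acs_url=acs, sso_url=sso, slo_url=slo,
                             pfx_file=pfx, pfx_password=password)


if __name__ == "__main__":
    path, text = run_prompts()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    print(f"wrote {path}")
```

Because the password ends up as a clear-text attribute in the written file, treat the output with the same care as the PFX itself; a password that contains quotes or ampersands is escaped correctly by ElementTree, which is the reason not to build the XML by string formatting.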